CVE-2024-12601
Severity CVSS v4.0:
Pending analysis
Type:
CWE-400
Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date:
17/12/2024
Last modified:
05/06/2025
Description
The Calculated Fields Form plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 5.2.63. This is due to unbounded height and width parameters for CAPTCHA images. This makes it possible for unauthenticated attackers to send multiple requests with large values, resulting in slowed server performance if the server does not otherwise mitigate Denial of Service attacks.
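The description above points to missing bounds on caller-supplied CAPTCHA dimensions. The following PHP, added here as an illustration and not taken from the plugin's source, contrasts an image generator that trusts request parameters with one that clamps them to a fixed range before allocating (the constants, limits and function names are assumptions):

```php
<?php
// Constructed illustration of CWE-400 as described for CVE-2024-12601.
// Not the Calculated Fields Form plugin's code; names and limits are assumed.

// Vulnerable pattern: width/height taken straight from the query string.
// imagecreatetruecolor() allocates roughly width * height * 4 bytes and does
// per-pixel work, so every request with huge values costs memory and CPU.
function make_captcha_unbounded(array $query): GdImage|false
{
    $width  = (int)($query['width']  ?? 200);
    $height = (int)($query['height'] ?? 60);
    return imagecreatetruecolor($width, $height);
}

// Hardened pattern: accept only integers inside a fixed, documented range.
const CAPTCHA_MIN_W = 100; const CAPTCHA_MAX_W = 400;
const CAPTCHA_MIN_H = 30;  const CAPTCHA_MAX_H = 120;

function clamp_dimension(mixed $value, int $default, int $min, int $max): int
{
    // FILTER_VALIDATE_INT rejects non-numeric input ("abc", "1e9", "") and
    // anything outside [min, max]; on rejection the default is returned.
    $opts = ['options' => [
        'default'   => $default,
        'min_range' => $min,
        'max_range' => $max,
    ]];
    return filter_var($value, FILTER_VALIDATE_INT, $opts);
}

function make_captcha_bounded(array $query): GdImage|false
{
    $width  = clamp_dimension($query['width']  ?? null, 200, CAPTCHA_MIN_W, CAPTCHA_MAX_W);
    $height = clamp_dimension($query['height'] ?? null, 60,  CAPTCHA_MIN_H, CAPTCHA_MAX_H);
    // Worst case is now CAPTCHA_MAX_W * CAPTCHA_MAX_H * 4 bytes per request,
    // a fixed cost the server can budget for.
    return imagecreatetruecolor($width, $height);
}

// Constructed sample input: oversized values are pulled back to the defaults.
$sample = ['width' => '20000', 'height' => 'abc'];
$img = make_captcha_bounded($sample);
printf("bounded image: %dx%d\n", imagesx($img), imagesy($img)); // 200x60
imagedestroy($img);
```

Rate limiting the CAPTCHA endpoint complements the clamp but does not replace it, since a single request with extreme dimensions is enough to trigger a large allocation.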
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:codepeople:calculated_fields_form:*:*:*:*:*:wordpress:*:* | | 5.2.64 (excluding) |
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/calculated-fields-form/trunk/captcha/captcha.php#L74
- https://plugins.trac.wordpress.org/browser/calculated-fields-form/trunk/captcha/captcha.php#L75
- https://plugins.trac.wordpress.org/changeset/3207826/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1eade2ed-9a75-4857-a2c5-a21e016e7029?source=cve